NEWS FROM THE LAB - Friday, June 10, 2011

Does Facesnoop Really Hack Facebook Accounts? Posted by Sean @ 15:06 GMT

We came across a supposed hack-tool called "Facesnoop" this week.

The author uses YouTube videos to promote his software.

Facesnoop YouTube

Facesnoop 2 was released sometime recently and claims to have "ACTUAL video proof" that it works.

Facesnoop 2 YouTube
(ACTUAL must be better than actual.)

The video depicts the "hacking" of an account belonging to a young woman named Kristen.


We think Kristen is just a sockpuppet account, so we've blurred the profile picture.

Once you've watched the Facesnoop video, and decide to download, you're directed to a webpage at ShareCash.Org which prompts you to fill out Cost Per Action (CPA) affiliate marketing surveys. (Offers from many of the usual CPA suspects. This is how Facesnoop monetizes his software.)

There's a problem though.

This is what happens when you launch Facesnoop 2:

Facesnoop GUI, error

You get an "Unhandled Access Violation" exception that claims there is a "Net Framework 2.0 missing library". Most people probably click on the "Check For Updates" button at this point, and that opens a webpage requesting even more CPA surveys to be filled out.

Facesnoop's Facebook page has several complaints about this.

Facesnoop Facebook Page
(Seriously, who complains about a Facebook hack-tool failing to work on a Facebook Page???)

The Facesnoop author has created a newer page, and it opens to the Info tab to avoid visible complaints.

Facesnoop Facebook Page

All of the people complaining about the error shouldn't really be surprised though…

Examining the properties of the executable shows that it was designed to fail.

Facesnoop 2.exe Internal Name

Look: the Internal Name of the file is "Facesnoop 2 error.exe".

This isn't a hack-tool — it's a fraud-tool.

You can see more details in the executable's code:

Facesnoop 2 Hiew
(SHA-1: 2862de8e506414589b923f8faa49bf8fc81238e2)

E:\Nicolas\Code\fn2 error\Facesnoop 2 error\…

Nicolas? Hmm, where have we seen that name before?

Oh yes, the first video's sockpuppet "victim" was called Hayley.


And the Hayley account has a friend named Nicolas.


And the Nicolas account just happens to "like" Facesnoop. Is it the hack-tool author himself?

We don't know for sure.

All we do know, whomever Nicolas is really… he thinks you're a sucker.